Top Threats and Trends

September 2021

Insights into the growing number of automated attacks

Not all bots are created equal. While some bots, such as search engine crawlers, are good, bad bots are built to carry out malicious attacks at scale. Traffic from these bad bots is exploding, and this in-depth report explores emerging traffic patterns, live examples of bot behavior and detection, and the steps you should take to protect your business.


Introduction

Over the past few years, automated bot traffic has grown rapidly. Once used primarily by search engines, bots now have a variety of uses — both good and bad. The good bots are primarily search engine crawlers, social network bots, aggregator crawlers, monitoring bots, etc. These bots obey the website owner’s rules as specified in the robots.txt file, publish methods of validating them as who they say they are, and work in a way to avoid overwhelming the websites and applications they visit.

Bad bots are built to perform various malicious activities. They range from basic scrapers that try to get some data off an application (and are easily blocked) to advanced persistent bots that behave almost like human beings and look to evade detection as much as possible. These bots attempt attacks such as web and price scraping, inventory hoarding, account takeover attacks, distributed denial of service (DDoS) attacks, and much more. Bad bots make up a significant part of website traffic today, and detecting and blocking them is of critical importance to businesses.

Barracuda researchers have analyzed the traffic patterns measured by Barracuda application security solutions over the first six months of 2021, and in this report we'll share the insights they uncovered both in terms of traffic trends and live examples of bot behavior and detection.
Traffic Trends

Insight 1: Bots make up 64% of internet traffic

Automated traffic makes up nearly two-thirds of internet traffic, as measured by Barracuda technology over the first six months of 2021. Roughly 25% of this traffic is from known good bots — ones like search engine crawlers, social network bots, and monitoring bots.

However, our measurements show that nearly 40% of traffic in total was from bad bots. These bad bots include both basic web scrapers and attack scripts, as well as advanced persistent bots. These advanced bots try their best to evade standard defenses and attempt to perform their malicious activities under the radar. In our dataset, the most common of these persistent bots were ones that went after e-commerce applications and login portals.

Figure: Traffic distribution: Bots vs. humans

Figure: Distribution by month (January — June 2021)
Insight 2: North America accounts for the largest portion of bad bot traffic — and most of it originates from data centers

Most of the bad bot traffic comes in from data centers’ IP ranges. This makes it relatively simple to identify and block these bots. If your application does not expect traffic from a specific data center IP range, you can consider blocking it, similar to geo-IP based blocking.

From our sample set, most of the bot traffic was coming in from the two large public clouds — AWS and Microsoft Azure — in roughly equal measure. This could be because it is easy to set up an account for free with either provider and then use the account to set up the bad bots.

Looking at regional traffic distributions, North America accounts for 67% of bad bot traffic, followed by Europe and then Asia. Interestingly, the European bot traffic is more likely to come in from hosting services (VPS) or residential IPs than the North American traffic.

Figure: Geographical sources of bad bot traffic (legend: North America, South America, Asia, Europe, Africa, Oceania)
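The data-center range check recommended in Insight 2 can be sketched as follows. This is an added example, not Barracuda's code: the CIDR ranges are constructed from documentation address space and stand in for real provider ranges, and the function names and the "expected" monitor range are assumptions.

```python
import ipaddress
from collections import Counter

# Constructed ranges (RFC 5737 documentation space) standing in for provider ranges.
DATACENTER_RANGES = {
    "cloud-a": ["198.51.100.0/24"],
    "cloud-b": ["203.0.113.0/25"],
}
# Ranges this application does expect, e.g. its own uptime monitor (assumption).
EXPECTED_RANGES = ["198.51.100.16/28"]

_DC = [(ipaddress.ip_network(c), name)
       for name, cidrs in DATACENTER_RANGES.items() for c in cidrs]
_OK = [ipaddress.ip_network(c) for c in EXPECTED_RANGES]


def classify(ip: str) -> str:
    """Return 'expected', 'datacenter:<name>', 'other' or 'invalid'."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return "invalid"
    # Expected sources win, even when they sit inside a data-center range.
    if any(addr in net for net in _OK):
        return "expected"
    for net, name in _DC:
        if addr in net:
            return f"datacenter:{name}"
    return "other"


def block_candidates(client_ips, min_requests=3):
    """Unexpected data-center sources with enough requests to merit a rule."""
    hits = Counter(ip for ip in client_ips
                   if classify(ip).startswith("datacenter:"))
    return sorted(ip for ip, n in hits.items() if n >= min_requests)


# Constructed sample: one address per request, as read from an access log.
SAMPLE = (["198.51.100.20"] * 5      # monitor inside the expected range
          + ["198.51.100.77"] * 4    # unexpected data-center client
          + ["203.0.113.9"] * 2      # data-center client, below threshold
          + ["192.0.2.44"] * 6)      # visitor outside any listed range

if __name__ == "__main__":
    for ip in sorted(set(SAMPLE)):
        print(ip, classify(ip))
    print("block candidates:", block_candidates(SAMPLE))
```

Checking the expected ranges first keeps a legitimate service hosted in the same cloud from being caught by a broad block rule.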
Insight 3: Bad bots follow a standard workday

In 2020, our researchers found that bad bot traffic typically follows the standard workday. Our analysis for the first half of 2021 confirms this. Good bots follow a normal distribution — they don’t vary much, and the traffic rate is fairly constant through the day. In the six months we analyzed, a good chunk of this traffic is from monitoring bots, and this lack of variance is expected.

However, when it comes to bad bots, they follow the standard workday — and with good reason. The attackers running these bad bots prefer to hide within the normal human traffic stream to avoid raising alarm bells. The common stereotype of a “hacker” performing their attacks late into the night in a dark room with green fonts on a black screen has been replaced by people who set up their bots to carry out the automated attacks while they go about their day.

Figure: Bot traffic in a day
Real-life examples of bad bots

Example 1: Pretending to be a known vulnerability scanner

Figure: Bad bot posing as a good bot (time axis 04:11 to 04:16)

Each dot represents a unique URL being accessed. The first group shows that a lot of requests to any URL were made at the same time, and at this point the client was stopped. After the first burst, the requests were coming in smaller amounts but only to specific URLs, and the bot was identified using its characteristics.

In our analysis, we found this example of a bad bot pretending to be a known vulnerability scanner (a good bot). The bad bot was attempting to perform reconnaissance and probe for vulnerabilities using some basic attacks. As such, the bot was using a standard browser user agent, but it had additional custom HTTP headers that spoofed the headers of a scanner used by the organization being attacked.

The bot, however, failed on multiple counts and was caught relatively easily. One telltale sign was that the fingerprint of the client did not match that of a known browser. While the custom headers being spoofed were correct, the header order being sent by the tool did not fit the expected profile. The bad bot, which came in from residential IP addresses, was also visiting pages at random. All these actions together were used to detect it and block its persistent attempts quite quickly.
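The header-order check described in Example 1 can be illustrated as below. This is an added sketch, not Barracuda's detection logic: the browser profile, the `ExampleBrowser` user agent and the `X-Scanner-Id` header are constructed for illustration.

```python
# Constructed, simplified profile: the order in which a browser family is
# assumed to send its standard request headers. Real profiles are built by
# observing genuine clients; this list is illustrative only.
PROFILES = {
    "ExampleBrowser": ["host", "connection", "user-agent", "accept",
                       "accept-encoding", "accept-language", "cookie"],
}


def claimed_family(user_agent):
    """Browser family the User-Agent claims to be, or None if unknown."""
    return next((f for f in PROFILES if f.lower() in user_agent.lower()), None)


def fingerprint_findings(headers):
    """headers: list of (name, value) pairs in the order received on the wire."""
    names = [n.lower() for n, _ in headers]
    ua = next((v for n, v in headers if n.lower() == "user-agent"), "")
    family = claimed_family(ua)
    if family is None:
        return ["unknown-client"]
    profile = PROFILES[family]
    findings = []
    # Compare only the relative order of headers the profile knows about,
    # so an optional header that is absent does not count as a mismatch.
    seen = list(dict.fromkeys(n for n in names if n in profile))
    expected = [n for n in profile if n in seen]
    if seen != expected:
        findings.append("header-order-mismatch")
    # Headers a genuine client of this family would not send.
    extras = [n for n in names if n not in profile]
    if extras:
        findings.append("non-profile-headers:" + ",".join(extras))
    return findings


# Constructed requests: a client matching the profile, and a tool that sends
# the same User-Agent with a different order plus a scanner-style header.
GENUINE = [("Host", "shop.example"), ("Connection", "keep-alive"),
           ("User-Agent", "ExampleBrowser/1.0"), ("Accept", "text/html"),
           ("Accept-Encoding", "gzip"), ("Accept-Language", "en-GB")]
SPOOFED = [("User-Agent", "ExampleBrowser/1.0"), ("Accept", "*/*"),
           ("Host", "shop.example"), ("X-Scanner-Id", "corp-scanner"),
           ("Accept-Encoding", "gzip")]

if __name__ == "__main__":
    print("genuine:", fingerprint_findings(GENUINE))
    print("spoofed:", fingerprint_findings(SPOOFED))
```

Header order has to be captured where the request is first parsed; application frameworks that expose headers as a normalized map lose it.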
Example 2: Accessing the login page of a medical service provider

In this example that we detected, the bot was accessing the login page of a medical service provider. Pretending to be Internet Explorer on Windows 10, this bot was also appending random UTM parameters to the login page URL and coming in from multiple AWS IP ranges.

The bot was detected based on the header variations that differed from the headers of a standard browser. It also stood out due to the fact that the same browser signature was coming in from multiple AWS IP addresses but accessing only the login pages on the application. The giveaway was a brute force attempt using stolen credentials. This was caught using our credential database, and the bot was blocked from accessing the site.

Figure: Brute force attack on a login page

This graph shows a sample of the login requests performed by the bot while attempting to brute force the login page. Each dot represents a login attempt.
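The signal in Example 2, one browser signature arriving from many addresses and touching only the login page under varying UTM parameters, can be computed from access-log records as in this added sketch (not Barracuda's implementation). The `/login` route, the thresholds and the sample records are assumptions constructed for illustration.

```python
from collections import defaultdict
from urllib.parse import urlsplit, parse_qsl

LOGIN_PATHS = {"/login"}          # assumption: the application's login route


def summarize(requests):
    """requests: iterable of (client_ip, signature, url), grouped by signature."""
    stats = defaultdict(lambda: {"ips": set(), "total": 0, "login": 0, "utm": set()})
    for ip, sig, url in requests:
        parts = urlsplit(url)
        s = stats[sig]
        s["ips"].add(ip)
        s["total"] += 1
        # Match on the path only, so random query strings cannot hide the target.
        if parts.path.rstrip("/") in LOGIN_PATHS:
            s["login"] += 1
        s["utm"].update((k, v) for k, v in parse_qsl(parts.query)
                        if k.startswith("utm_"))
    return stats


def suspicious_signatures(requests, min_ips=3, min_login_share=0.9):
    """Signatures seen from many addresses that request almost only the login page."""
    flagged = []
    for sig, s in summarize(requests).items():
        login_share = s["login"] / s["total"]
        if len(s["ips"]) >= min_ips and login_share >= min_login_share:
            flagged.append({"signature": sig, "ips": len(s["ips"]),
                            "login_share": round(login_share, 2),
                            "distinct_utm": len(s["utm"])})
    return flagged


# Constructed sample: five addresses share one signature and hit only /login
# with different UTM values; one ordinary visitor browses several pages.
BOT_UA = "Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko"
SAMPLE = [(f"198.51.100.{i}", BOT_UA,
           f"/login?utm_source=s{i}&utm_campaign=c{i}") for i in range(1, 6)]
SAMPLE += [("192.0.2.10", "ExampleBrowser/1.0", "/"),
           ("192.0.2.10", "ExampleBrowser/1.0", "/login"),
           ("192.0.2.10", "ExampleBrowser/1.0", "/account")]

if __name__ == "__main__":
    for row in suspicious_signatures(SAMPLE):
        print(row)
```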
Example 3: Web scraping a B2B e-commerce store

This bot was caught attempting to scrape a lot of information from a business-to-business (B2B) e-commerce store in the UK. The bot was coming in as a standard browser and had all its headers in order. It was also coming in from a residential IP address, which is where the system got its first hint of a problem — this website was very rarely accessed by residential customers. In addition, the client was detected to be using a Web SDK kit, typically used for automation, and these detections, along with the rapid traversal of the website, were used to detect and block the bot.

Figure: Pattern of visits in a web scraping attack

This graph shows the bot attempting to access the same set of URLs multiple times within a short period of time to scrape data. It would perform this pattern multiple times during the day.
Example 4: Price scraping an e-commerce store in Eastern Europe

In this example, there was a suspected price scraping attempt on an e-commerce store based in Eastern Europe. The store was running a discount on Apple products, and there were some suspicious patterns of behavior in the traffic. The suspicious traffic came with standard browser clients, through multiple local residential IP addresses. However, these local IP addresses were from VPS hosting providers, and each client would only access a standard set of pages. After a few iterations of these requests, the traffic patterns were correlated, identified as price scraping attempts, and blocked.

Once these scrapers were blocked, the bad bots started coming in with different browser patterns and from IP addresses in neighboring countries. The activity was easier to identify this time because the new clients used non-standard browser headers and they were accessing the same pages and also got blocked.

Figure: Repeating pattern of a price scraping bot

Bots were accessing the same set of product URLs multiple times in an hour after the initial burst was blocked.

Figure: Bot changing patterns to try to avoid detection

Bots attempting to access a smaller set of product pages in a different browsing pattern multiple times an hour.
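The correlation step in Examples 3 and 4, where clients are tied together because each one keeps revisiting the same set of URLs, can be sketched as follows. This is an added example, not Barracuda's code: the record format, thresholds and sample traffic are constructed, and the records are assumed to cover one analysis window such as an hour.

```python
from collections import defaultdict


def client_profiles(records):
    """records: iterable of (epoch_seconds, client_ip, path) for one window."""
    hits = defaultdict(list)
    for _ts, ip, path in records:
        hits[ip].append(path)
    profiles = {}
    for ip, paths in hits.items():
        distinct = frozenset(paths)
        profiles[ip] = {"paths": distinct,
                        # Average number of visits per distinct URL.
                        "passes": len(paths) / len(distinct)}
    return profiles


def correlated_scrapers(records, min_passes=3, min_clients=2):
    """Group clients that each revisit an identical URL set.

    Returns {sorted URL tuple: sorted client list}. With min_clients=1 a
    lone client repeating one URL set (as in Example 3) is reported too.
    """
    groups = defaultdict(list)
    for ip, p in client_profiles(records).items():
        # A single repeated URL is ordinary (refresh, polling); require a set.
        if p["passes"] >= min_passes and len(p["paths"]) > 1:
            groups[p["paths"]].append(ip)
    return {tuple(sorted(paths)): sorted(ips)
            for paths, ips in groups.items() if len(ips) >= min_clients}


# Constructed sample: three clients each walk the same three product pages
# three times, 20 minutes apart; one visitor browses normally.
PRODUCTS = ["/p/101", "/p/102", "/p/103"]
SAMPLE = [(1200 * n + i, ip, path)
          for ip in ("203.0.113.5", "203.0.113.6", "203.0.113.7")
          for n in range(3)
          for i, path in enumerate(PRODUCTS)]
SAMPLE += [(50, "192.0.2.10", "/"), (90, "192.0.2.10", "/p/101"),
           (300, "192.0.2.10", "/cart")]

if __name__ == "__main__":
    for urls, clients in correlated_scrapers(SAMPLE).items():
        print(len(clients), "clients share", urls)
```

Grouping on the URL set rather than on the address is what lets the same campaign be recognized again after it moves to new IP addresses.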
Example 5: Attempting to overwhelm the login portal of an Indian manufacturing company

In this example, the login portal of an Indian manufacturing company was seeing unusually high traffic. The traffic was coming in primarily from mobile networks, which was unusual, but not unexpected for this website. However, on further analysis, the system determined that the incoming traffic was more likely from a desktop browser that was impersonating a mobile device while connected to a hotspot. The multiple clients attempting to overwhelm this login page were blocked successfully, and the page response time came back to normal.

Figure: Spikes in traffic to login portal

The first few dots were a bot pretending to be human and spreading out its accesses. After that, there are clusters seen, and each dot represents a different client attempting to access the login page.
Best practices to protect against bot attacks

Bad bots are a big problem for web and API application owners today. These malicious bots attack user accounts, skew analytics, scrape data, and destroy customer experience. And ultimately, they can lead to a data breach. According to The State of Application Security in 2021, bot-based attacks are the most likely contributor to successful security breaches resulting from application vulnerabilities in the past 12 months.

When it comes to protecting against newer attacks, such as bots, defenders can be overwhelmed at times due to the number of solutions required. The good news is that solutions are consolidating into WAF/WAF-as-a-Service offerings, also known as Web Application and API Protection (WAAP) services.

To protect your business, as well as your data, analytics, and inventory, you need to invest in WAAP technology that identifies and stops bad bots in their tracks. This will improve both user experience and overall security.

• Put proper application security in place. Install a web application firewall or WAF-as-a-Service solution and make sure it is properly configured. This is an important first step to make sure your application security solution is working as intended.

• Invest in bot protection. Make sure the application security solution you choose includes anti-bot protection so it can effectively detect and stop advanced automated attacks.

• Take advantage of machine learning. With a solution that uses the power of machine learning, you can effectively detect and block hidden almost-human bot attacks. Be sure to turn on credential stuffing protection to prevent account takeover as well.
About Barracuda

At Barracuda, we strive to make the world a safer place. We believe every business deserves access to cloud-enabled, enterprise-grade security solutions that are easy to buy, deploy and use. We protect email, networks, data and applications with innovative solutions that grow and adapt with our customers’ journey.

More than 200,000 organizations worldwide trust Barracuda to protect them — in ways they may not even know they are at risk — so they can focus on taking their business to the next level.

For more information, visit barracuda.com.

Your journey, secured.

INSIGHTS INTO THE GROWING NUMBER OF AUTOMATED ATTACKS • US 1.0 • Copyright 2021 Barracuda Networks, Inc. • barracuda.com
Barracuda Networks and the Barracuda Networks logo are registered trademarks of Barracuda Networks, Inc. in the United States. All other names are the property of their respective owners.





